iptables formerly known as ipchains is a command line interface that controls access rules for netfilter. netfilter is a packet filtering frame work for the 2.4 and later series linux kernel. i.e. the firewall.

By default there are no rules and the policies are to ACCEPT all traffic inbound and outbound.

These terms are important to know when working with iptables:

• Tables - a container for the chains
• Chains - the direction of the packet
• Targets - what is going to happen to the packet

These are important.

Tables (hence iptables):

• filter - this is the default. If you don't specify a table it goes here.
• mangle contains rules to mangle packet headers
• nat rules for Network Address Translation
• raw rules for packets regardless of state.

You can also create custom tables. In the rule the -j parameter is for jump which can be another table.

Chains operate within the tables.

iptables -t filter -A INPUT -m connlimit ...

Use extensions with the -m or match argument.

This example will load the connlimit module.

connlimit limits connections

From the iptables man pages:

• --connlimit-upto n number of existing connections is below n
• --connlimit-above n number of exiting connections
• --conlimit-mask 0-32 the subnet mask
• --conlimit-saddr apply the rule to the source
• --conlimit-daddr apply the rule to the destination

1 routeA 2 routeB allow-hotplug eth0 iface eth0 inet static    address 192.168.1.94/24    gateway 192.168.1.1    post-up ip route add 192.168.1.0/24 dev eth0 src 192.168.1.94 table routeA    post-up ip route add default via 192.168.1.1 dev eth0 table routeA    post-up ip rule add from 192.168.1.94/32 table routeA    post-up ip rule add to 192.168.1.95/32 table routeA allow-hotplug eth1 iface eth1 inet static    address 192.168.2.36/24    gateway 192.168.2.1    post-up ip route add 192.168.2.0/24 dev eth0 src 192.168.2.36 table routeB    post-up ip route add default via 192.168.2.1 dev eth0 table routeB    post-up ip rule add from 192.168.2.36/32 table routeB    post-up ip rule add to 192.168.2.36/32 table routeB

The situation. We have a multihomed machine that operates on two different networks.

• Network A - 192.168.1.0/24
• Network B - 192.168.2.0/24

We must do three things to address this situation:

• Create two routing tables - done in the /etc/iproute2/rt_tables
• Add a route to the interfaces file for each interface
• Add a rule to the interfaces file for each nic.

First the tables file... in the /etc/iproute2/rt_tables file add two lines...

This indicates that route 1 is routeA and route 2 is routeB

Next add the routes to the /etc/network/interfaces file for the first network card (eth0) that will operate on routeA i.e. 192.168.1.0.

This tells the system to use eth0 for anything addresses to or from 192.168.1.0/24.

Next in the same file add a second stanza, routes and rules to address the second network (192.168.2.0/32).